Internet Holes - Spam

Copyright (c), 1996, Management Analytics - All Rights Reserved

Series Introduction

The Internet is now the world's most popular network and it is
full of potential vulnerabilities. In this series of articles, we
explore the vulnerabilities of the Internet and what you can do to
mitigate them.

What is a Spam?

When hearing the word spam, people familiar with the foods made
popular beginning in or around World War II get a mental picture of a
canned ground-up meat product that can be spread on bread like crunchy
peanut butter. But in the Internet, a spam is something quite
different.

A spam is loosely defined as the flooding of a system with unwanted
information. Spams in the form of unwanted and off-topic advertisements
are regularly posted to newsgroups and mailing lists, but there are many
other forms of spamming available in the Internet, and rarely do sites
have adequate anti-spamming defenses.

Some Recent Example Spams

Perhaps the most publicized spam of all time took the form of the
Internet virus of 1988, in which Robert Morris, Jr. caused a virus to
enter 60,000 computers uninvited. This is not generally thought of as a
spam, but by my loose definition, it fits.

A much more recent series of spams was perpetrated by a party or
parties unknown who decided to subscribe the White House, a Time magazine
editor, a New York Times reporter, two 'hacker' publications, MTV, and
others to about 2,000 Internet mailing lists. In this case, almost
5,000 new email messages per day were poured into the victims'
mailboxes, flooding their systems till they ran out of disk space, and
causing all manner of inconvenience. Unless you have an automated
unsubscriber program or some other defense, it takes about a week to get
unsubscribed, and of course with an automated subscriber program, you
can subscribe several people per day to each of these lists from a PC at
home.

A different form of spam is the mailing of massive volumes of
useless information to a recipient from a single source. For example,
one person threatened to email me the complete sources to the GNU Unix
system, an activity that would tie up my Internet link for hours and
probably run me out of disk space if I didn't have a defense.

Yet another form of a spam is an attack called a DCA (for details of
such an attack, you will have to look on our Web server or wait for the
journal article to come out). In a DCA, groups of people may force
computers at hundreds or even thousands of sites to pester you, or in
some cases, to launch serious attacks that are very hard to trace back
to their sources.

In the real world, spams might include forms of harassment such as
subscribing you to 5,000 different magazines using "first issue free"
offers and the like. I hope you get the idea by now.

What Can We Do About It?

The underlying reason we have spams in the Internet is that we don't
have good integrity mechanisms. Now at first, this may seem a bit
confusing. After all, a spam basically invades your privacy by forcing
excessive noise (in an informational sense) on you. You would think
that the reason would be a lack of adequate confidentiality protection,
but it is integrity that can eliminate spams, not secrecy.

The reason integrity can eliminate many spams is two-fold. It can
prevent many spams because it prevents someone claiming to be you from
subscribing as you to a mailing list (or 2,000 of them). But even more
importantly, it can provide the means to record the source of
information, so that when a spam takes place, the person responsible can
be easily identified. Once we catch perpetrators and punish them, the
number of spams will be dramatically reduced.

Since the Internet has little or no integrity protection built into
it, here are some suggestions on how to eliminate many spams from the
Internet:

Email spams can be eliminated by refusing large-volume email from
unknown senders. Whenever email arrives from a new sender, the user is
told about it, and further email from the same sender is refused until
and unless the recipient signals the system to allow ongoing email from
that source. In this way, the user is notified of new senders and has
the chance to refuse them or listen to them. The user should also be
able to refuse further email from a sender at a later date by
changing the setting associated with that sender. Since most legitimate
first-time connections involve only a single piece of mail, the normal
sender would never even notice this mechanism.
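
The first-contact rule described above, sketched as an added example (not
code from the original article). The class, method names and sample
addresses are hypothetical, and the state is kept in memory for one
recipient.

```python
# Added illustration; class and method names are hypothetical.
# The sender address is only a claim, so this caps volume per claimed sender.
class FirstContactGate:
    """One recipient's policy: deliver a stranger's first message, hold the rest."""

    def __init__(self):
        self.state = {}  # normalized sender -> "pending" | "allowed" | "refused"

    def receive(self, sender):
        key = sender.strip().lower()
        status = self.state.get(key)
        if status is None:
            # First contact: deliver it and tell the user a new sender appeared.
            self.state[key] = "pending"
            return "DELIVER_AND_NOTIFY"
        if status == "allowed":
            return "DELIVER"
        return "REFUSE"  # still pending, or explicitly refused

    def decide(self, sender, allowed):
        # The user may change this setting for a sender at any later date.
        self.state[sender.strip().lower()] = "allowed" if allowed else "refused"

# Constructed sample traffic: (action, sender) pairs, not real addresses.
SAMPLE = [
    ("mail", "alice@example.org"),    # new sender
    ("mail", "Alice@Example.org"),    # same sender, not yet approved
    ("allow", "alice@example.org"),
    ("mail", "alice@example.org"),
    ("mail", "bulk@lists.example"),   # new sender
    ("mail", "bulk@lists.example"),   # the flood is cut off here
    ("refuse", "alice@example.org"),
    ("mail", "alice@example.org"),
]

def replay(events):
    """Apply the events to a fresh gate and return the verdict for each mail."""
    gate, verdicts = FirstContactGate(), []
    for action, sender in events:
        if action == "mail":
            verdicts.append(gate.receive(sender))
        else:
            gate.decide(sender, allowed=(action == "allow"))
    return verdicts
```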

Automated email spams can also be prevented by sending back a
"user ID" to the sender of email which must be used in subsequent
communications. This is far less convenient than the first solution,
but it would cut off all email from mailing lists unless they were
explicitly allowed by being placed on an allowable user list.

Mailing lists could eliminate their use in signup spams rather
easily. Instead of the single signon protocol they use now, they could
send a confirmation email to the proposed list member. The new member
would have to reply before being added to this list. This would be a
simple and effective method of limiting email spams to one notification
per list.
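
The confirmation step described above, sketched as an added example (not
code from the original article or from any list software). ConfirmedList,
its methods and the addresses are hypothetical; the token is an HMAC over
the list name and address, so it reaches only the mailbox being subscribed.

```python
import hashlib
import hmac
import secrets

# Added illustration; ConfirmedList and its methods are hypothetical names.
class ConfirmedList:
    """Mailing list that adds a member only after a confirmation reply."""

    def __init__(self, name):
        self.name = name
        self.key = secrets.token_bytes(32)  # server-side secret for tokens
        self.members = set()
        self.notified = set()  # addresses already sent a confirmation
        self.outbox = []       # (address, token) confirmations "sent"

    def _token(self, address):
        msg = f"{self.name}\0{address}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def request(self, address):
        """Subscribe request; it can come from anyone, so it adds nobody."""
        address = address.strip().lower()
        if address in self.members or address in self.notified:
            return False  # at most one notification per address per list
        self.notified.add(address)
        self.outbox.append((address, self._token(address)))
        return True

    def confirm(self, address, token):
        """Reply carrying the token, which only went to that mailbox."""
        address = address.strip().lower()
        expected = self._token(address)
        if address in self.notified and hmac.compare_digest(
                token.encode(), expected.encode()):
            self.members.add(address)
            return True
        return False

def demo():
    lst = ConfirmedList("announce")
    # Constructed scenario: a third party signs up someone else three times.
    sent = [lst.request("target@example.gov") for _ in range(3)]
    guessed = lst.confirm("target@example.gov", "0" * 64)
    # A willing subscriber replies with the token from their own mailbox.
    lst.request("reader@example.org")
    token = dict(lst.outbox)["reader@example.org"]
    joined = lst.confirm("reader@example.org", token)
    return sent, guessed, joined, sorted(lst.members), len(lst.outbox)
```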

Spams sent to mailing lists are also a problem, but these were
discussed in one of our earlier articles on NNTP.

For the techies among us, there is always the extensive use of
digital signatures. If every email were signed, we could authenticate
sources before allowing them to post to lists, and trace them back to
their sources.

Summary

Spams can be a serious problem in the Internet, but there are enough
solutions to the most common spams that we don't have to suffer. We do
have to plan. Once a spam is underway, it takes a lot of effort to undo
the damage unless you were ready and waiting for it.